## Problem
AuthenticatorData::_readFlags() parses the Backup Eligible (BE, bit 3) and Backup State (BS, bit 4) flags but does not validate the constraint between them.
Per the W3C WebAuthn spec (§6.3.3 Authenticator Data / Level 3 §6.1), the combination BS=1, BE=0 is invalid — a credential cannot claim to be backed up if it is not eligible for backup.
| BE | BS | Meaning |
|---|---|---|
| 0 | 0 | Not backup eligible, not backed up |
| 1 | 0 | Backup eligible, not yet backed up |
| 1 | 1 | Backup eligible, currently backed up |
| 0 | 1 | Invalid — cannot be backed up without being eligible |
Currently, crafted authenticatorData with BS=1, BE=0 is accepted without error. Relying parties that use getIsBackupEligible() and getIsBackup() for policy decisions could act on an impossible state.
## Suggested fix
Add validation in _readFlags() after the named flags are assigned:
```php
// BS set without BE is an impossible state; reject it rather than exposing it to the relying party.
if ($flags->isBackup && !$flags->isBackupEligible) {
    throw new WebAuthnException('invalid backup flags: BS without BE', WebAuthnException::INVALID_DATA);
}
```
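To show the check end to end, here is an added stand-alone parser for the fixed-length prefix of authenticatorData (rpIdHash, flags byte, signCount) that rejects BS=1 with BE=0; it is example code written for this issue, not the library's own code, and the sample authenticatorData it builds is constructed, not captured from a real authenticator.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator data flags byte.
FLAG_UP = 1 << 0  # User Present
FLAG_UV = 1 << 2  # User Verified
FLAG_BE = 1 << 3  # Backup Eligible
FLAG_BS = 1 << 4  # Backup State
FLAG_AT = 1 << 6  # Attested credential data included
FLAG_ED = 1 << 7  # Extension data included


def read_flags(flags_byte: int) -> dict:
    """Decode the flags byte and reject the impossible BS=1, BE=0 combination."""
    flags = {
        "userPresent": bool(flags_byte & FLAG_UP),
        "userVerified": bool(flags_byte & FLAG_UV),
        "backupEligible": bool(flags_byte & FLAG_BE),
        "backup": bool(flags_byte & FLAG_BS),
        "attestedCredentialData": bool(flags_byte & FLAG_AT),
        "extensionData": bool(flags_byte & FLAG_ED),
    }
    # A credential cannot be backed up unless it is eligible for backup.
    if flags["backup"] and not flags["backupEligible"]:
        raise ValueError("invalid backup flags: BS without BE")
    return flags


def parse_authenticator_data(data: bytes) -> dict:
    """Parse rpIdHash (32 bytes), flags (1 byte) and signCount (4 bytes, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = data[:32]
    flags = read_flags(data[32])
    (sign_count,) = struct.unpack(">I", data[33:37])
    return {"rpIdHash": rp_id_hash, "flags": flags, "signCount": sign_count}


def build_authenticator_data(rp_id: str, flags_byte: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData prefix for testing the parser."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags_byte]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    good = build_authenticator_data("example.com", FLAG_UP | FLAG_BE | FLAG_BS, 7)
    print(parse_authenticator_data(good)["flags"])
    bad = build_authenticator_data("example.com", FLAG_UP | FLAG_BS, 7)
    try:
        parse_authenticator_data(bad)
    except ValueError as err:
        print("rejected:", err)
```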